`autoRefreshSession: false` does nothing with `createBrowserClient`

[Justinyu1618]

Bug report

• I confirm this is a bug with Supabase, not with my own application.
• I confirm I have searched the Docs, GitHub Discussions, and Discord.

Describe the bug

When you set the autoRefreshSession: false setting when creating the browser client, the client auto refreshes the token anyways.
i.e.

const client =  createBrowserClient<Database>(dbClientConfig.url, dbClientConfig.anonKey, {
    auth: {
      autoRefreshToken: false,
    },
  });

console.log(client.auth.autoRefreshToken) # true

This is because in the createBrowserClient code, it will always set this setting as true if it's in the browser.

ssr/src/createBrowserClient.ts

Line 139 in a1b60ba

autoRefreshToken: isBrowser(),

This is misleading, and if this is intentional, the typing interface should reflect that so users can't pass in autoRefreshToken, detectSessionInUrl or persistSession

To Reproduce

Try to create a client using createBrowserClient with autoRefreshToken: false

Print out the result, it's setting for autoRefreshToken will still be true

Expected behavior

A clear and concise description of what you expected to happen.

Screenshots

If applicable, add screenshots to help explain your problem.

System information

• OS: [e.g. macOS, Windows]
• Browser (if applies) [e.g. chrome, safari]
• Version of supabase-js: [e.g. 6.0.2]
• Version of Node.js: [e.g. 10.10.0]

Additional context

Add any other context about the problem here.

[j4w8n]

Yeah that's intentional. Unsure if they are open to changing the original options typing from supabase-js, but could be.

Why do you want it to not autorefresh?

[thisislvca]

Dumb question, can't you just not expose that in the createBrowserClient function options instead?

[j4w8n]

Dumb question, can't you just not expose that in the createBrowserClient function options instead?

My apologies, I didn't mean to imply changing the OG typings. The ssr library is simply importing and using them. I meant that I'm unsure if they're open to changing their strategy.

I can see where it would make sense, so you understand what can be changed in the context of ssr clients. Could probably do a simple omit.

[thisislvca]

Ahh ok cool sounds good, that was what I had in mind 😅

[brunostuani]

Well there's a bug here - if by any chance the server returns a refresh_token_not_found, it will keep retrying, and because it's a retriable error, there will never be a response from other API calls like database requests, that relies on authentication.

To fix this I had to create a custom fetcher (which I already did to get SSR caching working), and converts the 'refresh_token_not_found' into a 200 OK response, to trick the library into stop trying to automatically refresh the token.

[thisislvca]

Yeah I also encountered this error, session still works but everything else breaks. No idea why nobody else is seeing this happening. I think this might also be connected with the issues I mentioned here...

Also, shouldn't the refresh token always be there? I remember when I was using the auth-helpers-nextjs package, even if the session had expired for a long time, the refresh token was still there, even after months... Def a big issue.